NameIDFormat emailAddress SAML:2.0 (?)
Peter Schober
peter.schober at univie.ac.at
Fri Nov 22 16:39:20 EST 2019
* Alan Angulo (Office365 admin) <alan at live.esu.edu> [2019-11-22 22:06]:
> The user authenticates correctly but right after the browser goes
> into an infinite redirect.
Looping can have many possible reasons -- cf. the Shibboleth SP's own
documentation[1] on looping with that software implementation -- but
an SP expecting something (here: a NameID in a certain format) and
your IDP not sending it (here: because it's bogus) is certainly
possible.
> The vendor's metadata has this entry:
> <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
>
> I suspect the vendor's metadata is referencing the wrong
> NameIDFormat in his metadata. I am thinking it should be this:
> urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Indeed, see 8.3.2 on p.85 of SAML Core:
https://www.oasis-open.org/committees/download.php/56776/sstc-saml-core-errata-2.0-wd-07.pdf
> Can someone confirm that this is the cause of the problem?
Not quite, it may also be looping for any number of other reasons.
But lacking evidence wrt anything else being wrong/off that's one
place to start.
(You could configure your IDP to send the bogus format just to find
out whether that's it, but don't tell the SP -- or your boss -- you got it
working, otherwise chances are slim the SP has motivation to fix it.)
-peter
[1] https://wiki.shibboleth.net/confluence/display/SP3/Looping
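A small check for the metadata problem discussed above, added here as an example; it is not part of the thread and not Shibboleth or vendor code. It parses SP metadata, lists every md:NameIDFormat it declares, and flags URIs that carry a SAML version prefix the spec does not use for that format (the SAML 2.0 Core, section 8.3, keeps the SAML:1.1 prefix for unspecified, emailAddress, X509SubjectName and WindowsDomainQualifiedName). The entityID, ACS URL and second NameIDFormat in the sample metadata are constructed for the example.

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# NameID format URIs defined in SAML 2.0 Core, section 8.3. The first four
# keep the "SAML:1.1" prefix for backward compatibility; only kerberos,
# entity, persistent and transient carry "SAML:2.0".
KNOWN_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Index by the trailing token so a URI with the wrong version prefix can be
# matched to the URI the spec actually defines.
_BY_NAME = {uri.rsplit(":", 1)[1]: uri for uri in KNOWN_FORMATS}


def classify_nameid_format(uri: str):
    """Return (status, correct_uri); status is 'ok', 'wrong-version' or 'unknown'."""
    uri = uri.strip()
    if uri in KNOWN_FORMATS:
        return "ok", uri
    name = uri.rsplit(":", 1)[-1]
    if uri.startswith("urn:oasis:names:tc:SAML:") and name in _BY_NAME:
        return "wrong-version", _BY_NAME[name]
    return "unknown", None


def check_sp_metadata(xml_text: str):
    """Parse SP metadata and classify every md:NameIDFormat it declares."""
    root = ET.fromstring(xml_text)
    results = []
    for el in root.iter(f"{{{MD_NS}}}NameIDFormat"):
        uri = (el.text or "").strip()
        status, correct = classify_nameid_format(uri)
        results.append((uri, status, correct))
    return results


# Constructed sample SP metadata: the first NameIDFormat reproduces the bogus
# URI from the thread, the second is one the spec defines.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://sp.example.org/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                                 Location="https://sp.example.org/saml/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for uri, status, correct in check_sp_metadata(SAMPLE_METADATA):
        if status == "ok":
            print(f"OK       {uri}")
        elif status == "wrong-version":
            print(f"BOGUS    {uri}\n         spec defines: {correct}")
        else:
            print(f"UNKNOWN  {uri} (not defined in SAML Core 8.3)")
```

Run it against a vendor's metadata file before loading it into the IdP; a "wrong-version" hit is the kind of evidence to send back to the SP operator rather than something to paper over on the IdP side.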